Package: tshark
Version: 1.8.2-5wheezy1
Severity: important

Hi,

tshark's man page says:

    When writing packets to a file, TShark, by default, writes the file
    in libpcap format [..]

and also says:

    -F <file format>
        Set the file format of the output capture file written using the
        -w option. The output written with the -w option is raw packet
        data, not text, so there is no -F option to request text output.
        The option -F without a value will list the available formats.

However:
1) tshark uses the pcap-ng format, not the libpcap format.
2) the -F switch does not work.

The problem can be produced with:

    $ sudo tshark -i lo -w - > f ; file f
    [..]
    f: pcap-ng capture file - version 1.0
    $ sudo tshark -F libpcap -i lo -w - > f ; file f
    [..]
    f: pcap-ng capture file - version 1.0

In both cases, I would expect tshark to use the libpcap format, like
tcpdump:

    $ sudo tcpdump -i lo -w - > f ; file f
    [..]
    f: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

The version in experimental (1.9.1-1) is also affected.
The version in squeeze is not affected.

This breaks the "use tshark or dumpcap as a remote probe over SSH" use
case described in http://wiki.wireshark.org/CaptureSetup/Pipes :

    $ wireshark -k -i <( ssh root@host tshark -i eth0 -w -)

Wireshark displays "Unrecognized libpcap format", since only libpcap
format is supported in that mode.

A workaround is to use tcpdump to capture packets on the remote host.

Lucas
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (990, 'testing'), (800, 'stable'), (300, 'unstable'), (150, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages tshark depends on:
ii libc6 2.13-38
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libpcap0.8 1.3.0-1
ii libwireshark2 1.8.2-5wheezy1
ii libwiretap2 1.8.2-5wheezy1
ii libwsutil2 1.9.1-1
ii wireshark-common 1.8.2-5wheezy1
ii zlib1g 1:1.2.7.dfsg-13
tshark recommends no packages.
tshark suggests no packages.
-- no debconf information
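
Added example, not part of the original report and not code from tshark or Wireshark: a check of the leading bytes of a capture stream that tells libpcap from pcap-ng, the same distinction `file` reports above, so a remote-probe pipeline can confirm the format before feeding a consumer that accepts only libpcap. The function names and the sample headers are constructed for illustration; the magic numbers are those of the libpcap and pcapng file formats.

```python
import struct

# Magic numbers from the libpcap and pcapng file format specifications.
PCAP_MAGICS = {0xA1B2C3D4: "microsecond", 0xA1B23C4D: "nanosecond"}
PCAPNG_SHB_TYPE = b"\x0a\x0d\x0d\x0a"  # palindromic, so byte-order independent
PCAPNG_BYTE_ORDER_MAGIC = 0x1A2B3C4D
ORDERS = (("<", "little"), (">", "big"))


def identify_capture(header: bytes) -> dict:
    """Classify a capture stream from its first 24 bytes."""
    if len(header) < 24:
        return {"format": "unknown", "reason": "short read"}
    if header[:4] == PCAPNG_SHB_TYPE:
        # Section Header Block: type, total length, byte-order magic, version.
        for fmt, name in ORDERS:
            bom, major, minor = struct.unpack(fmt + "IHH", header[8:16])
            if bom == PCAPNG_BYTE_ORDER_MAGIC:
                return {"format": "pcapng", "byte_order": name,
                        "version": f"{major}.{minor}"}
        return {"format": "unknown", "reason": "bad pcapng byte-order magic"}
    for fmt, name in ORDERS:
        # libpcap global header: magic, version, thiszone, sigfigs, snaplen, network.
        magic, major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
            fmt + "IHHiIII", header[:24])
        if magic in PCAP_MAGICS:
            return {"format": "libpcap", "byte_order": name,
                    "version": f"{major}.{minor}",
                    "timestamps": PCAP_MAGICS[magic],
                    "snaplen": snaplen, "linktype": linktype}
    return {"format": "unknown", "reason": "unrecognized magic"}


def usable_as_libpcap_pipe(header: bytes) -> bool:
    """True only for libpcap, the one format the report says the pipe mode accepts."""
    return identify_capture(header)["format"] == "libpcap"


# Constructed sample headers (not captured data): a little-endian libpcap 2.4
# header with snaplen 65535 and linktype 1 (Ethernet), and the start of a
# little-endian pcap-ng 1.0 Section Header Block.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_PCAPNG = struct.pack("<4sIIHHq", PCAPNG_SHB_TYPE, 28,
                            PCAPNG_BYTE_ORDER_MAGIC, 1, 0, -1)

if __name__ == "__main__":
    for label, data in (("libpcap", SAMPLE_PCAP), ("pcap-ng", SAMPLE_PCAPNG)):
        print(label, identify_capture(data), usable_as_libpcap_pipe(data))
```

To check a real stream, pass the first 24 bytes read from the pipe or file to `identify_capture`.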